CN113691537B - Malicious encrypted traffic detection method based on graph analysis - Google Patents


Info

Publication number
CN113691537B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110980179.1A
Other languages
Chinese (zh)
Other versions
CN113691537A (en)
Inventor
李祺
杨彦青
赵键锦
米嘉欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G06F18/24 Classification techniques


Abstract

An embodiment of the invention provides a malicious encrypted traffic detection method based on graph analysis, relating to the technical field of network communication. The method comprises the following steps: extracting features of marked encrypted traffic; training a GraphSAGE graph model on the features of the encrypted traffic; and extracting features of the encrypted traffic to be detected and inputting them into the trained GraphSAGE graph model to determine whether the encrypted traffic is malicious. The detection method can quickly and accurately determine whether encrypted traffic is malicious, without decrypting it.

Description

Malicious encrypted traffic detection method based on graph analysis
Technical Field
The invention relates to the technical field of network communication, in particular to a malicious encrypted traffic detection method based on graph analysis.
Background
With the expansion of Internet applications, awareness of network security risks keeps growing, more and more applications protect private data by means of encryption, and the proportion of encrypted traffic in the network keeps rising. At the same time, attackers also hide their own information by means of encryption, using malicious code that communicates over encryption and malicious attacks over encrypted channels, which poses a huge challenge to traditional rule-based traffic detection methods.
At present there are two main approaches to detecting attacks in encrypted traffic: detection after decryption and detection without decryption. Gateway devices in industry mainly detect attacks by decrypting traffic, but this method consumes a large amount of resources, is costly, defeats the original purpose of encryption, and the decryption process is strictly limited by laws and regulations related to privacy protection. To protect user privacy, detection without decryption has gradually attracted the attention of researchers in the industry; this approach classifies encrypted traffic using already known data resources, without decrypting the traffic.
Conventional traffic detection without decryption is mainly based on five-tuple information. However, in the current network environment, with the introduction and use of port hopping, dynamic port and tunneling techniques, traffic detection based on five-tuple information such as ports can no longer meet detection requirements.
Disclosure of Invention
The invention aims to provide a malicious encrypted traffic detection method based on graph analysis that can quickly and accurately determine whether encrypted traffic is malicious, without decrypting the encrypted traffic.
Embodiments of the invention may be implemented as follows:
In a first aspect, the present invention provides a malicious encrypted traffic detection method based on graph analysis, the method comprising:
extracting features of marked encrypted traffic;
training a GraphSAGE graph model on the features of the encrypted traffic;
and extracting features of the encrypted traffic to be detected and inputting them into the trained GraphSAGE graph model to determine whether the encrypted traffic is malicious.
In an alternative embodiment, the features include statistical features and image features.
In an alternative embodiment, the sample format of the marked encrypted traffic is: [label, ID number, feature, G];
where the label indicates whether the encrypted traffic is malicious traffic or normal traffic;
the ID number represents the identity of the encrypted traffic;
the feature represents statistical features or image features;
G is represented as $G = (V, E, X)$;
where $V = \{v_1, v_2, v_3, \dots\}$ is the set of nodes of image features of the encrypted traffic, and $v_i$ denotes the node of the encrypted traffic with ID number $i$;
$E = \{e_{ij}, e_{pq}, e_{xy}, \dots\}$ is the set of undirected edges: if $v_i$ and $v_j$ are related, then $e_{ij} = 1$; if $v_i$ and $v_j$ are not related, then $e_{ij} = 0$;
$X = \{x_1, x_2, x_3, \dots\}$ is the set of node attributes, where $x_i$ represents the statistical features of the node with ID number $i$.
In an alternative embodiment, $v_i = \{x_i, y_i\}$, i.e. $v_i$ has two representations $x_i$ and $y_i$, where $x_i$ represents a set of attribute features and $y_i$ represents a grayscale image.
In an alternative embodiment, the method for determining whether $v_i$ and $v_j$ are related comprises:
calculating the similarity between each node and the remaining nodes;
constructing a similarity matrix S from the similarities:
Figure BDA0003228804070000031
where $S_{ij}$ represents the similarity of node $i$ and node $j$, and $S_{11} = S_{22} = \cdots = S_{NN} = 1$;
obtaining an adjacency matrix A from the similarity matrix S:
Figure BDA0003228804070000032
where $a_{ij} = 1$ if and only if $S_{ij}$ ranks among the top $K$ values of $S_{i1}$ to $S_{iN}$, and $a_{ij} = 0$ in all other cases;
when the certificate authorities of the two encrypted traffic flows are the same and $a_{ij} = 0$, then $e_{ij} = 1$; in all other cases $e_{ij} = a_{ij}$.
In an alternative embodiment, the statistical features include connection features, SSL features, and certificate features, and the method of extracting the statistical features includes:
analyzing the sample data of the encrypted flow to generate a log file;
connection features, SSL features and certificate features are extracted from the log file.
In an alternative embodiment, the log files include a conn.log file, a ssl.log file, and an x509.log file, and the step of extracting the connection features, SSL features, and certificate features from the log files includes:
extracting connection features from conn.log files;
extracting SSL characteristics from the ssl.log file;
certificate features are extracted from an x509.log file.
In an alternative embodiment, the method of extracting image features comprises:
flow segmentation: splitting continuous original encrypted flow into a plurality of session files;
flow cleaning: deleting information data which can interfere with the classification result and cause the model to generate deviation in the session file;
generating a picture: and processing the cleaned session file to generate image characteristics.
In an alternative embodiment, the step of generating the picture comprises:
processing the first 784 bytes of the cleaned session file in a uniform length;
converting the byte into an integer from 0 to 255, so that each byte corresponds to a gray pixel value;
784 bytes are arranged into a 28 × 28 matrix and are constructed into a 28 pixel wide and 28 pixel high gray scale image, i.e., an image feature.
In an alternative embodiment, the step of performing uniform length processing on the first 784 bytes of the washed session file comprises:
intercepting the length of the first 784 bytes of a session file with the file length larger than 784 bytes;
for a session file with a file length of less than 784 bytes, 0x00 is appended to the back of the session file until the file length is 784 bytes.
The beneficial effects of the malicious encrypted traffic detection method based on graph analysis provided by the embodiment of the invention include:
The detection method first extracts features of marked encrypted traffic and trains the model on them, then extracts the features of the encrypted traffic to be detected and inputs them into the trained GraphSAGE graph model, so that whether the encrypted traffic to be detected is malicious can be determined quickly and accurately, without decrypting the encrypted traffic.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of a malicious encrypted traffic detection method based on graph analysis according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
It should be noted that the features of the embodiments of the present invention may be combined with each other without conflict.
Referring to fig. 1, the present embodiment provides a malicious encrypted traffic detection method based on graph analysis (hereinafter referred to as "detection method"), which includes the following steps:
S1: Extract features of the marked encrypted traffic.
Here, marked encrypted traffic refers to encrypted traffic that has been marked as malicious or non-malicious. The features include statistical features and image features.
First, the sample data of the encrypted traffic is analyzed to generate log files, which comprise a conn.log file, an ssl.log file and an x509.log file; then statistical features are extracted from the log files, the statistical features including connection features, SSL features and certificate features.
Specifically, each session is assigned a unique index, and the corresponding log entries are generated for each session as each connection is processed. When the ssl.log file contains SSL/TLS session information for a connection, the unique index can be used to find the certificate features associated with that session in the x509.log file.
The conn.log file contains connection features such as source IP address, destination IP address, ports used, connection time, and the number and size of upstream and downstream packets. Connection features are therefore extracted from the conn.log file.
The ssl.log file contains SSL features such as timestamp, version, the key agreed during the handshake, and server name. SSL features are therefore extracted from the ssl.log file.
The x509.log file contains certificate features such as certificate serial number, version, issuer, validity period, key type, key length, and server DNS name. Certificate features are therefore extracted from the x509.log file.
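The per-session join described above, as an added example that is not code from the patent. It assumes the three files are Zeek TSV logs in the layout where the `cert_chain_fuids` column of ssl.log references the `id` column of x509.log (the page names only the files); the feature names, helper names and sample log lines are constructed for illustration.

```python
def parse_zeek_log(text):
    """Parse a Zeek TSV log: '#fields' names the columns; '-' and '(empty)' mean unset."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            rows.append({f: (None if v in ("-", "(empty)") else v)
                         for f, v in zip(fields, values)})
    return rows


def num(value):
    """Numeric field; unset maps to 0.0 so every feature vector has the same shape."""
    return float(value) if value is not None else 0.0


def extract_features(conn_text, ssl_text, x509_text):
    """Join per session: conn.uid == ssl.uid, first cert_chain_fuids entry == x509.id."""
    conn = {r["uid"]: r for r in parse_zeek_log(conn_text)}
    certs = {r["id"]: r for r in parse_zeek_log(x509_text)}
    features = {}
    for s in parse_zeek_log(ssl_text):
        c = conn.get(s["uid"])
        if c is None:
            continue  # TLS record without a connection record: nothing to join
        chain = (s.get("cert_chain_fuids") or "").split(",")
        leaf = certs.get(chain[0])  # server (leaf) certificate; None if no chain was seen
        feat = {
            # connection features (conn.log)
            "duration": num(c["duration"]),
            "orig_pkts": num(c["orig_pkts"]), "resp_pkts": num(c["resp_pkts"]),
            "orig_bytes": num(c["orig_bytes"]), "resp_bytes": num(c["resp_bytes"]),
            "resp_port": num(c["id.resp_p"]),
            # SSL features (ssl.log)
            "tls_version": s["version"],
            "has_sni": int(s["server_name"] is not None),
            "established": int(s["established"] == "T"),
            # certificate features (x509.log); defaults cover sessions without a certificate
            "has_cert": int(leaf is not None),
            "issuer": None, "key_length": 0.0, "validity_days": 0.0, "self_signed": 0,
        }
        if leaf is not None:
            lifetime = (num(leaf["certificate.not_valid_after"])
                        - num(leaf["certificate.not_valid_before"]))
            feat.update(
                issuer=leaf["certificate.issuer"],
                key_length=num(leaf["certificate.key_length"]),
                validity_days=lifetime / 86400.0,
                self_signed=int(leaf["certificate.subject"] == leaf["certificate.issuer"]),
            )
        features[s["uid"]] = feat
    return features


def tsv(block):
    """The constructed samples use '|' for readability; Zeek separates columns with tabs."""
    return block.strip().replace("|", "\t")


# Constructed sample logs (trimmed column sets, documentation-range addresses).
CONN_LOG = tsv("""
#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|proto|duration|orig_bytes|resp_bytes|orig_pkts|resp_pkts
1629849600.0|C1|192.0.2.10|49152|198.51.100.5|443|tcp|1.5|800|4200|10|12
1629849601.0|C2|192.0.2.11|49153|198.51.100.9|8443|tcp|-|300|0|3|0
1629849602.0|C3|192.0.2.12|49154|198.51.100.7|80|tcp|0.2|120|900|4|4
""")
SSL_LOG = tsv("""
#fields|ts|uid|version|cipher|server_name|established|cert_chain_fuids
1629849600.1|C1|TLSv12|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|example.com|T|F1,F2
1629849601.1|C2|TLSv10|-|-|F|(empty)
""")
X509_LOG = tsv("""
#fields|ts|id|certificate.subject|certificate.issuer|certificate.not_valid_before|certificate.not_valid_after|certificate.key_length
1629849600.2|F1|CN=example.com|CN=Example CA|1609459200.0|1640995200.0|2048
1629849600.2|F2|CN=Example CA|CN=Example CA|1577836800.0|1893456000.0|4096
""")

if __name__ == "__main__":
    for uid, feat in extract_features(CONN_LOG, SSL_LOG, X509_LOG).items():
        print(uid, feat)
```

Session C3 has no ssl.log entry and is dropped, while C2 (a failed handshake with no certificate chain) still yields a full-length vector with the certificate fields at their defaults.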
The method for extracting the image features comprises the following steps:
Traffic segmentation: using the session as the granularity for segmenting encrypted traffic, the continuous original encrypted traffic is split into a plurality of session files, whose output data format is pcap so as to be compatible with common processing tools;
Traffic cleaning: information in the session file that can interfere with the classification result and bias the model is deleted. Specifically, first, the MAC addresses and IP addresses in the data link layer and network layer are randomized, removing specific information that interferes with the classification result, such as the MAC address and the IP address; second, empty streams and duplicate data that may bias the model are deleted;
Picture generation: the cleaned session file is processed to generate the image features.
The picture generation step comprises the following steps:
First, the first 784 bytes of the cleaned session file are processed to a uniform length: for a session file longer than 784 bytes, the first 784 bytes are kept; for a session file shorter than 784 bytes, 0x00 is appended to the end of the session file until the file length is 784 bytes.
Then, each byte is converted into an integer from 0 to 255, so that each byte corresponds to a gray pixel value;
Finally, the 784 bytes are arranged into a 28 × 28 matrix and constructed into a grayscale image 28 pixels wide and 28 pixels high, which is the image feature.
There are many methods for extracting image features, and any method that can convert bytes of encrypted traffic into images can be applied to the GraphSAGE graph model.
S2: Train the GraphSAGE graph model on the features of the encrypted traffic.
Specifically, a KNN graph of the encrypted traffic is constructed from the statistical features and the image features extracted in S1, and the GraphSAGE graph model performs supervised binary classification on the KNN graph, which completes the training of the GraphSAGE graph model. In particular, a high-level embedding vector of each encrypted traffic flow is obtained by aggregating the features of its neighbors, and the vector is finally input into a classifier to obtain the classification; the parameter settings can be optimized for different data sets.
In the KNN graph, the association relations between nodes are constructed from the image features, and the attributes of the nodes come from the statistical features.
Specifically, the sample format of the marked encrypted traffic is: [label, ID number, feature, G].
The label indicates whether the encrypted traffic is malicious traffic or normal traffic.
The ID number represents the identity of the encrypted traffic, so that each encrypted traffic flow has a unique identity.
The feature represents statistical features or image features.
G is represented as $G = (V, E, X)$.
Here $V = \{v_1, v_2, v_3, \dots\}$ is the set of nodes of image features of the encrypted traffic, and $v_i$ denotes the node of the encrypted traffic with ID number $i$.
$E = \{e_{ij}, e_{pq}, e_{xy}, \dots\}$ is the set of undirected edges: if $v_i$ and $v_j$ are related, then $e_{ij} = 1$; if $v_i$ and $v_j$ are not related, then $e_{ij} = 0$.
When $v_i$ is expressed as features, the attribute features and the image features are concatenated, namely $v_i = \{x_i, y_i\}$, i.e. $v_i$ has two representations $x_i$ and $y_i$, where $x_i$ represents a set of attribute features and $y_i$ represents a grayscale image.
The method for determining whether $v_i$ and $v_j$ are related comprises the following steps:
First, the similarity between each node and the remaining nodes is calculated: an algorithm from the image processing field, for example the Heat Kernel algorithm, is applied to the grayscale image of each encrypted traffic flow to compute the similarity between that node and the remaining nodes;
Then, a similarity matrix S is constructed from the similarities:
Figure BDA0003228804070000081
where $S_{ij}$ represents the similarity of node $i$ and node $j$, and $S_{11} = S_{22} = \cdots = S_{NN} = 1$;
The calculation formula of $S_{ij}$ is:
Figure BDA0003228804070000082
where t is a time parameter in the heat conduction equation.
Finally, an adjacency matrix A is obtained from the similarity matrix S:
Figure BDA0003228804070000083
where $a_{ij} = 1$ if and only if $S_{ij}$ ranks among the top $K$ values of $S_{i1}$ to $S_{iN}$, and $a_{ij} = 0$ in all other cases;
When the certificate authorities of the two encrypted traffic flows are the same and $a_{ij} = 0$, then $e_{ij} = 1$; in all other cases $e_{ij} = a_{ij}$.
$X = \{x_1, x_2, x_3, \dots\}$ is the set of node attributes, where $x_i$ represents the statistical features of the node with ID number $i$.
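The picture generation and graph construction steps above (784-byte grayscale image, similarity matrix S, top-K adjacency A, certificate-issuer rule for E), followed by the neighbour-mean step a GraphSAGE layer applies to X, as an added example that is not code from the patent. Assumptions: the heat-kernel form exp(-||y_i - y_j||^2 / t) (the page's formula image is not reproduced), symmetrising A into undirected edges, skipping the issuer rule for flows without a certificate, the mean aggregator, and all function names and sample data.

```python
import math

SIDE = 28
IMG_BYTES = SIDE * SIDE  # 784 bytes, as specified on the page


def session_to_image(payload):
    """Keep the first 784 bytes or pad with 0x00, then shape as 28x28 gray values."""
    fixed = payload[:IMG_BYTES].ljust(IMG_BYTES, b"\x00")
    return [list(fixed[r * SIDE:(r + 1) * SIDE]) for r in range(SIDE)]


def heat_kernel(img_a, img_b, t):
    """ASSUMED kernel exp(-||a-b||^2 / t) on pixels scaled to [0, 1]; gives S_ii = 1."""
    d2 = sum(((p - q) / 255.0) ** 2
             for row_a, row_b in zip(img_a, img_b)
             for p, q in zip(row_a, row_b))
    return math.exp(-d2 / t)


def similarity_matrix(images, t):
    n = len(images)
    S = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            S[i][j] = S[j][i] = heat_kernel(images[i], images[j], t)
    return S


def knn_adjacency(S, k):
    """a_ij = 1 iff S_ij ranks in the top K of row i. The row contains S_ii = 1,
    so each node selects itself plus K-1 other nodes."""
    n = len(S)
    A = [[0] * n for _ in range(n)]
    for i in range(n):
        ranked = sorted(range(n), key=lambda j: (-S[i][j], j != i, j))
        for j in ranked[:k]:
            A[i][j] = 1
    return A


def build_edges(A, issuers):
    """e_ij = 1 if a_ij = 1, or if a_ij = 0 and both flows share a certificate issuer."""
    n = len(A)
    edges = set()
    for i in range(n):
        for j in range(n):
            # Assumption: flows without a certificate (None) are never linked by this rule.
            same_ca = issuers[i] is not None and issuers[i] == issuers[j]
            if i != j and (A[i][j] == 1 or same_ca):
                edges.add((min(i, j), max(i, j)))  # undirected: store each pair once
    return sorted(edges)


def sage_mean_inputs(X, edges):
    """Per node: own attributes x_i concatenated with the mean of its neighbours' x_j."""
    nbrs = {i: [] for i in range(len(X))}
    for i, j in edges:
        nbrs[i].append(j)
        nbrs[j].append(i)
    out = []
    for i, x in enumerate(X):
        if nbrs[i]:
            mean = [sum(X[j][d] for j in nbrs[i]) / len(nbrs[i]) for d in range(len(x))]
        else:
            mean = [0.0] * len(x)  # isolated node: nothing to aggregate
        out.append(list(x) + mean)
    return out


def build_graph(sessions, issuers, k=2, t=10.0):
    images = [session_to_image(s) for s in sessions]
    S = similarity_matrix(images, t)
    A = knn_adjacency(S, k)
    return S, A, build_edges(A, issuers)


# Constructed session payloads, issuers and node attributes (not real captures).
SESSIONS = [
    b"\x16\x03\x03" + b"\xaa" * 100,
    b"\x16\x03\x03" + b"\xaa" * 98 + b"\xab" * 2,
    b"\x16\x03\x01" + b"\x10" * 900,                   # longer than 784 bytes: truncated
    b"\x16\x03\x01" + b"\x10" * 700 + b"\x11" * 200,
    b"\x17\x03\x03" + b"\xff" * 400,
]
ISSUERS = ["CN=Example CA", "CN=Example CA", "CN=Constructed Self-Signed",
           None, "CN=Constructed Self-Signed"]
X = [[1.0, 0.0], [3.0, 2.0], [5.0, 4.0], [7.0, 6.0], [9.0, 8.0]]

if __name__ == "__main__":
    S, A, E = build_graph(SESSIONS, ISSUERS)
    print("edges:", E)
    print("node 4 aggregated input:", sage_mean_inputs(X, E)[4])
```

Flows 2 and 4 are not image neighbours, and the edge between them exists only because of the shared issuer, which is the case the certificate rule is there to catch.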
S3: Extract the features of the encrypted traffic to be detected and input them into the trained GraphSAGE graph model to determine whether the encrypted traffic is malicious.
For any encrypted traffic, its features are input into the trained GraphSAGE graph model, which automatically determines whether the encrypted traffic is malicious.
In other embodiments, other features of the marked encrypted traffic can be extracted to train the GraphSAGE graph model; the GraphSAGE graph model adopted in this embodiment has good flexibility and extensibility.
The beneficial effects of the malicious encrypted traffic detection method based on graph analysis provided by the embodiment of the invention include:
1. The detection method first extracts features of marked encrypted traffic and trains the model on them, then extracts the features of the encrypted traffic to be detected and inputs them into the trained GraphSAGE graph model, so that whether the encrypted traffic to be detected is malicious can be determined quickly and accurately, without decrypting the encrypted traffic;
2. The detection method considers both the correlation between features and the correlation between traffic flows: it uses the attribute features to construct a KNN graph and the image similarity to construct the association relations, fusing the two types of features from the perspective of association; the method is simple and highly accurate.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A malicious encrypted traffic detection method based on graph analysis is characterized by comprising the following steps:
extracting the marked features of the encrypted flow, wherein the features comprise statistical features and image features, and the statistical features comprise connection features, SSL features and certificate features;
training a GraphSAGE graph model by using the characteristics of the encrypted traffic;
and extracting the characteristics of the encrypted traffic to be detected, and inputting the trained GraphSAGE graph model to judge whether the encrypted traffic is malicious or not.
2. The graph analysis-based malicious encrypted traffic detection method according to claim 1, wherein a sample format of the encrypted traffic that has been marked is: [label, ID number, feature, G];
wherein the label indicates that the encrypted traffic is malicious traffic or normal traffic;
the ID number represents the identity of the encrypted traffic;
the feature represents statistical features or image features;
said G is represented as $G = (V, E, X)$;
wherein $V = \{v_1, v_2, v_3, \dots\}$ is the set of nodes of image features of the encrypted traffic, and $v_i$ denotes the node of the encrypted traffic with ID number $i$;
$E = \{e_{ij}, e_{pq}, e_{xy}, \dots\}$ is the set of undirected edges: if $v_i$ and $v_j$ are related, then $e_{ij} = 1$; if $v_i$ and $v_j$ are not related, then $e_{ij} = 0$;
$X = \{x_1, x_2, x_3, \dots\}$ is the set of node attributes, where $x_i$ represents the statistical features of the node with ID number $i$.
3. The graph analysis-based malicious encrypted traffic detection method according to claim 2, wherein $v_i = \{x_i, y_i\}$, i.e. $v_i$ has two representations $x_i$ and $y_i$, where $x_i$ represents a set of attribute features and $y_i$ represents a grayscale image.
4. The graph analysis-based malicious encrypted traffic detection method according to claim 2 or 3, wherein the method for determining whether $v_i$ and $v_j$ are related comprises:
calculating the similarity between each node and the remaining nodes;
constructing a similarity matrix S from the similarities:
Figure FDA0003697437600000021
wherein $S_{ij}$ represents the similarity of node $i$ and node $j$, and $S_{11} = S_{22} = \cdots = S_{NN} = 1$;
obtaining an adjacency matrix A from the similarity matrix S:
Figure FDA0003697437600000022
wherein $a_{ij} = 1$ if and only if $S_{ij}$ ranks among the top $K$ values of $S_{i1}$ to $S_{iN}$, and $a_{ij} = 0$ in all other cases;
when the certificate authorities of the two encrypted traffic flows are the same and $a_{ij} = 0$, then $e_{ij} = 1$; in all other cases $e_{ij} = a_{ij}$.
5. The malicious encrypted traffic detection method based on graph analysis according to claim 1 or 2, wherein the method for extracting the statistical features comprises:
analyzing the sample data of the encrypted flow to generate a log file;
extracting the connection feature, the SSL feature and the certificate feature from the log file.
6. The graph analysis-based malicious encrypted traffic detection method according to claim 5, wherein the log files include a conn.log file, a ssl.log file, and an x509.log file, and the step of extracting the connection feature, the SSL feature, and the certificate feature from the log files comprises:
extracting said connection features from said conn.log file;
extracting said SSL features from said ssl.log file;
extracting the certificate features from the x509.log file.
7. The malicious encrypted traffic detection method based on graph analysis according to claim 1 or 2, wherein the method for extracting the image features comprises:
flow segmentation: splitting the continuous original encrypted flow into a plurality of session files;
flow cleaning: deleting information data in the session file, wherein the information data can interfere with the classification result and can cause the model to generate deviation;
generating a picture: and processing the cleaned session file to generate the image characteristics.
8. The graph analysis-based malicious encrypted traffic detection method according to claim 7, wherein the picture generation step comprises:
carrying out uniform length processing on the first 784 bytes of the cleaned session file;
converting into an integer of 0 to 255 in units of bytes so that each byte corresponds to a gray pixel value;
784 bytes are arranged into a matrix of 28 × 28, and are constructed into a grayscale image with 28 pixels wide and 28 pixels high, and the grayscale image is the image feature.
9. The graph analysis-based malicious encrypted traffic detection method according to claim 8, wherein the step of performing uniform length processing on the first 784 bytes of the flushed session file comprises:
for the session file with the file length larger than 784 bytes, intercepting the length of the first 784 bytes of the session file;
for the session file with a file length of less than 784 bytes, 0x00 is supplemented behind the session file until the file length is 784 bytes.
CN202110980179.1A 2021-08-25 2021-08-25 Malicious encrypted traffic detection method based on graph analysis Active CN113691537B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110980179.1A CN113691537B (en) 2021-08-25 2021-08-25 Malicious encrypted traffic detection method based on graph analysis


Publications (2)

Publication Number Publication Date
CN113691537A CN113691537A (en) 2021-11-23
CN113691537B true CN113691537B (en) 2022-07-26

Family

ID=78582374


Country Status (1)

Country Link
CN (1) CN113691537B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835769A (en) * 2020-07-14 2020-10-27 南方电网科学研究院有限责任公司 Malicious traffic detection method, device, equipment and medium based on VGG neural network
CN112468487A (en) * 2020-11-25 2021-03-09 清华大学 Method and device for realizing model training and method and device for realizing node detection
CN112565308A (en) * 2021-02-26 2021-03-26 北京邮电大学 Malicious application detection method, device, equipment and medium based on network traffic

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109120627B (en) * 2018-08-29 2021-07-13 重庆邮电大学 6LoWPAN network intrusion detection method based on improved KNN
US11082438B2 (en) * 2018-09-05 2021-08-03 Oracle International Corporation Malicious activity detection by cross-trace analysis and deep learning
CN112818257B (en) * 2021-02-19 2022-09-02 北京邮电大学 Account detection method, device and equipment based on graph neural network
CN113141360B (en) * 2021-04-21 2022-06-28 建信金融科技有限责任公司 Method and device for detecting network malicious attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant